On 12/04/2015 4:41 p.m., Farci, Anatole V wrote:
> Hi,
>
> I have a JavaClient that uses T3S:443 to connect to Oracle's WLS
> application server. WLS is in DMZ and I have Squid proxy between the
> DMZ and our Intranet (in its own DMZ) to fwd all requests to WLS. The
> port (443) is open since the browsers can talk to the WLS, but it
> appears that the T3S is not going thru the proxy. I have searched to
> see what I can add to allow this T3 (RMI protocol) to go thru; our
> Squid configuration is very simple and has a whitelist and allows all
> traffic on port 80 and 443 to go thru.
>
> On the client side, I get this error:
> javax.naming.CommunicationException [Root exception is
> java.net.ConnectException: t3s://xxxx.yyy.intel.com:443: Destination
> xxx.yyy.zzz.www, 443 unreachable; nested exception is:
> java.net.ConnectException: Connection timed out: connect; No available
> router to destination]

Does this Java application support HTTP proxying?

Squid is an HTTP proxy; use of any other protocol over it has to be via
HTTP mechanisms. CONNECT requests in this case.

It won't help at all if the Java application cannot do HTTP enough to
perform an HTTP CONNECT request.

>
> On the Squid access.log, where <dns> and <fqdn> are the correct values,
> and using a browser, I can reach the WLS with either of them using
> HTTPS:443:
> 1428776399.835 27238 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776414.999 15117 10.254.98.83 TCP_MISS/200 2199 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776430.068 27768 10.254.98.83 TCP_MISS/200 9658 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776445.200 15085 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776460.396 15118 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776480.270 15211 10.254.98.83 TCP_MISS/200 9722 CONNECT <FQDN>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776495.293 27207 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
>

Yes. However, note that HTTPS != T3S.

> Store.log has this one entry only:
> 1428773672.888 RELEASE -1 FFFFFFFF 93F32BC091B147DF27B4355731396BC9 200 1428770072 1428770072 1428773672 application/cache-digest 144/144 GET internal://proxy..intel.com/squid-internal-periodic/store_digest
>

CONNECT are not cacheable. There is nothing that can be stored to disk.

> and the squid config looks like this:
> visible_hostname proxy.intel.com
> http_port 912

APEX and HTTP protocols are not safe to be mixing up. Use of 3128 is
sufficient for Squid proxy (it's even registered for Squid use).

>
> logfile_rotate 30
> cache_access_log C:/squid/var/logs/access.log

That should be:

  access_log C:/squid/var/logs/access.log

>
> acl all src 0.0.0.0/0.0.0.0
> acl whitelist dstdomain .intel.com
> acl http proto http t3
> acl port_80 port 80
> acl port_443 port 443
> acl port_23791 port 23791
> acl CONNECT method CONNECT
>
>
> # rules allowing non-authenticated users
> http_access allow http port_80 whitelist
> http_access allow CONNECT port_443 whitelist
> http_access allow CONNECT port_23791 whitelist

Highly dangerous. Please use the recommended defaults:

  acl SSL_ports port 443
  acl Safe_ports port 80          # http
  acl Safe_ports port 21          # ftp
  acl Safe_ports port 443         # https
  acl Safe_ports port 70          # gopher
  acl Safe_ports port 210         # wais
  acl Safe_ports port 1025-65535  # unregistered ports
  acl Safe_ports port 280         # http-mgmt
  acl Safe_ports port 488         # gss-http
  acl Safe_ports port 591         # filemaker
  acl Safe_ports port 777         # multiling http

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports

  # Then your bit...
  http_access allow whitelist
  http_access deny all

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
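The difference between the poster's three allow lines and the defaults Amos recommends is easiest to see by evaluating both rulesets against the same requests. The script below is an added example written for this page; it is not Squid's code and was not posted in the thread. It models only the ACL types the thread uses (src, dstdomain, port, method, proto) and Squid's documented http_access semantics (first line whose ACLs all match decides; if nothing matches, the default is the opposite of the last line). The host name wls-example.intel.com, the request set, and the compacted one-line Safe_ports list are constructed for the example; the explicit `acl all` line in the recommended ruleset is there only so this toy parser can resolve `deny all`.

```python
"""Toy evaluator for Squid http_access ordering (added example, not Squid code).

Models only the ACL types used in the thread (src, dstdomain, port, method,
proto) and the documented first-match rule for http_access.  Hostnames and
requests are constructed; Squid itself is never run.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Request:
    src: str      # client IP address
    method: str   # GET, CONNECT, ...
    host: str     # destination host name
    port: int     # destination port
    proto: str    # URL scheme as a 'proto' acl would see it


class Ruleset:
    def __init__(self, conf):
        self.acls = {}   # name -> (type, values); repeated acl lines append
        self.rules = []  # (allow, [terms]) in file order
        for raw in conf.splitlines():
            line = raw.split('#', 1)[0].strip()
            if not line:
                continue
            parts = line.split()
            if parts[0] == 'acl':
                _kind, values = self.acls.setdefault(parts[1], (parts[2], []))
                values.extend(parts[3:])
            elif parts[0] == 'http_access':
                self.rules.append((parts[1] == 'allow', parts[2:]))

    def _acl(self, name, req):
        kind, values = self.acls[name]
        if kind == 'src':
            ip = ipaddress.ip_address(req.src)
            return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        if kind == 'dstdomain':  # a leading dot also matches subdomains
            h = req.host.lower()
            return any(h == v.lstrip('.') or (v.startswith('.') and h.endswith(v))
                       for v in values)
        if kind == 'port':       # single ports or lo-hi ranges
            for v in values:
                lo, _, hi = v.partition('-')
                if int(lo) <= req.port <= int(hi or lo):
                    return True
            return False
        if kind == 'method':
            return req.method.upper() in (v.upper() for v in values)
        if kind == 'proto':
            return req.proto.lower() in (v.lower() for v in values)
        raise ValueError(f'acl type {kind!r} is not modelled here')

    def allows(self, req):
        for allow, terms in self.rules:
            # a term written '!name' matches exactly when the acl does not
            if all(self._acl(t.lstrip('!'), req) != t.startswith('!') for t in terms):
                return allow
        # nothing matched: Squid's default is the opposite of the last line
        return not self.rules[-1][0] if self.rules else True


# The poster's rules, as quoted in the thread.
POSTER_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl whitelist dstdomain .intel.com
acl http proto http t3
acl port_80 port 80
acl port_443 port 443
acl port_23791 port 23791
acl CONNECT method CONNECT
http_access allow http port_80 whitelist
http_access allow CONNECT port_443 whitelist
http_access allow CONNECT port_23791 whitelist
"""

# Amos's recommended defaults plus the whitelist; Safe_ports compacted to one
# line, and 'all' declared explicitly so this toy parser can resolve it.
RECOMMENDED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl whitelist dstdomain .intel.com
acl CONNECT method CONNECT
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow whitelist
http_access deny all
"""

CLIENT = '10.254.98.83'            # client address seen in the thread's access.log
HOST = 'wls-example.intel.com'     # constructed stand-in for <dns>.intel.com
REQUESTS = {                       # constructed sample requests
    'browser https':     Request(CLIENT, 'CONNECT', HOST, 443, 'https'),
    'plain http':        Request(CLIENT, 'GET', HOST, 80, 'http'),
    'tunnel to 23791':   Request(CLIENT, 'CONNECT', HOST, 23791, 'https'),
    'tunnel to port 25': Request(CLIENT, 'CONNECT', HOST, 25, 'https'),
    'outside whitelist': Request(CLIENT, 'GET', 'www.example.net', 80, 'http'),
}


def compare(conf_a, conf_b, requests=REQUESTS):
    """Return {label: (allowed by conf_a, allowed by conf_b)}."""
    a, b = Ruleset(conf_a), Ruleset(conf_b)
    return {name: (a.allows(r), b.allows(r)) for name, r in requests.items()}


if __name__ == '__main__':
    for name, (poster, recommended) in compare(POSTER_CONF, RECOMMENDED_CONF).items():
        print(f'{name:18}  poster={poster!s:5}  recommended={recommended}')
```

Run stand-alone it prints one line per request. Both rulesets admit the browser's CONNECT to 443 and a plain GET to port 80 on the whitelisted domain, and both refuse the request outside the whitelist; the row that differs is the CONNECT tunnel to 23791, which the poster's third allow line admits and the recommended `deny CONNECT !SSL_ports` refuses before any allow line is reached. That ordering (denies for unsafe ports first, then the site-specific allows, then `deny all`) is the point of Amos's template.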